Apple is fixing a macOS flaw that exposes snippets of 'encrypted' emails
Apple is working to fix an issue that makes it possible to read portions of encrypted email in macOS after an IT specialist discovered a flaw in the way Mail's messages are handled by Siri. The problem affects macOS versions from Sierra to Catalina.
It is important to note that there are a number of criteria that have to be met for the issue to rear its head, but the fact that it is possible at all is still a concern. For a company that has just been shouting about its privacy policies, the timing is less than ideal -- particularly as Apple has been aware of the problem since July.
- Apple refreshes its privacy portal and seeks to differentiate itself from Google, Facebook et al
- Apple's macOS Catalina 10.15.1 update adds AirPods Pro support, new Siri privacy options and gender-neutral emoji
- Apple warns users to upgrade their old iPhones and iPads or face GPS and time issues
The issue was discovered by Bob Gendler and reported to Apple on 29 July. As detailed in a lengthy Medium post, he found that the snippets.db file used by Siri to make suggestions was storing texts from messages that were supposed to be encrypted. On top of this, it does not even matter if Siri is disabled.
So, what's the story, and how concerned do you need to be?
As mentioned, the problem only appears in a fairly limited set of circumstances -- although that's not really the point. Gendler sets out the issue as follows:
The snippets.db database is storing encrypted Apple Mail messages... completely, totally, fully -- UNENCRYPTED -- readable, even with Siri disabled, without requiring the private key. Most would assume that disabling Siri would stop macOS from collecting information on the user. This is a big deal. This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected. Secret or top-secret information, which was sent encrypted, would be exposed via this process and database, as would trade secrets and proprietary data.
In order to be affected by the problem, you have to be using the Mail app to send encrypted emails, but you also have to have the whole-drive encryption feature of FileVault disabled. And, of course, someone would need to go hunting for the database in question to shift through short snippets of emails, not entire messages. This reduces the number of people who need worry, and also reduces the impact for those who could be affected.
But the problem is still concerning, and the fact that Apple only responded to Gendler's alert after three months is even more alarming.
Now the company says that it is working on a fix that will be rolled out on due course, but in the meantime it is worth enabling FileVault if you have not done so already. You can also stop Siri from gathering information from emails by heading to System Preferences > Siri > Siri Suggestions & Privacy > Mail and disabling the Learn from this App setting.